Copy-Fail: Linux Privilege Escalation
A critical Linux kernel vulnerability, dubbed Copy-Fail, allows unprivileged local users to escalate privileges to root on systems whose kernel was built between 2017 and the patch release. The flaw lies in the kernel crypto API (AF_ALG), which is enabled by default, so nearly all mainstream Linux distributions are affected. Remote exploitation is not possible, but the bug significantly increases risk in multi-tenant, containerized, or CI environments.
- The Copy-Fail vulnerability affects Linux kernels built between 2017 and the patch, covering most mainstream distributions.
- It requires only an unprivileged local account and exploits the default-enabled kernel crypto API (AF_ALG).
- Systems at highest risk include multi-tenant hosts, Kubernetes clusters, CI runners, and cloud SaaS platforms executing user code.
- The vulnerability enables local privilege escalation to root, making it a serious post-exploitation threat even without remote access.
- Distributions confirmed affected include Ubuntu, Amazon Linux, RHEL, SUSE, and others running vulnerable kernel versions.
Opening excerpt (first ~120 words)
Who is affected

If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope. Copy Fail requires only an unprivileged local user account — no network access, no kernel debugging features, no pre-installed primitives. The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro's default config, so the entire 2017 → patch window is in play out of the box.

Distributions we directly verified:

| Distribution | Kernel |
| --- | --- |
| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
| RHEL 10.1 | 6.12.0-124.45.1.el10_1 |
| SUSE 16 | 6.12.0-160000.9-default |

These are what we tested directly.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Xint.
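As an added triage helper (not code from the Xint write-up or the Copy-Fail researchers), the Python script below checks the one precondition the summary names, whether the kernel crypto API (AF_ALG) is reachable on a host: it parses the running kernel's config for the real CONFIG_CRYPTO_USER_API options and separately tries to open an AF_ALG socket without privileges. The embedded sample .config is constructed, and the script does nothing beyond reporting exposure.

```python
import os
import socket

# Kconfig symbols behind AF_ALG: the user-space API plus its per-type front ends.
AF_ALG_OPTIONS = (
    "CONFIG_CRYPTO_USER_API",
    "CONFIG_CRYPTO_USER_API_HASH",
    "CONFIG_CRYPTO_USER_API_SKCIPHER",
    "CONFIG_CRYPTO_USER_API_RNG",
)

# Constructed sample .config, used when no /boot/config-<release> is readable.
SAMPLE_CONFIG = """\
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
# CONFIG_CRYPTO_USER_API_RNG is not set
"""


def af_alg_options_from_config(config_text):
    """Map each AF_ALG option to 'y', 'm' or 'n' from kernel .config text."""
    found = {opt: "n" for opt in AF_ALG_OPTIONS}
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("#"):  # '# CONFIG_X is not set' or a plain comment
            continue
        opt, sep, value = line.partition("=")
        if sep and opt in found:
            found[opt] = value
    return found


def config_exposes_af_alg(config_text):
    """True when AF_ALG is built in (y) or loadable on demand (m)."""
    return af_alg_options_from_config(config_text)["CONFIG_CRYPTO_USER_API"] in ("y", "m")


def probe_af_alg_socket():
    """Live check: can this unprivileged process open an AF_ALG socket here?"""
    family = getattr(socket, "AF_ALG", None)
    if family is None:  # not Linux, or a Python build without AF_ALG
        return False
    try:
        with socket.socket(family, socket.SOCK_SEQPACKET):
            return True
    except OSError:  # EAFNOSUPPORT when the API is off, or a seccomp denial
        return False


if __name__ == "__main__":
    path = "/boot/config-" + os.uname().release
    text = open(path).read() if os.path.exists(path) else SAMPLE_CONFIG
    print("config says AF_ALG exposed:", config_exposes_af_alg(text))
    print("AF_ALG socket reachable now:", probe_af_alg_socket())
```

A host where both checks come back False still needs the vendor kernel update; the probe only tells you whether the affected subsystem is reachable from an unprivileged account.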